6 Replies Latest reply on Sep 28, 2004 7:17 AM by digdon

    Assigning a principal to a MDB

    digdon

I'm in the process of porting a WebLogic-based application over to JBoss, and the security aspects are giving me an incredible headache. One of the big problems I'm having is in getting a MDB to run with a principal identity.

      I've got the following entry in login-config.xml:

      <application-policy name="rms-test">

      <login-module code="org.jboss.security.auth.spi.IdentityLoginModule"
      flag="required">
      <module-option name="principal">JMSReceiver</module-option>
      <module-option name="roles">
      ManageMDBRole,ManageGatewayManagementRole,ManageDeviceRegistrationManagerRole
      </module-option>
      </login-module>
      <login-module code="org.jboss.security.ClientLoginModule"
      flag="required" />

      </application-policy>

        • 1. Re: Assigning a principal to a MDB
          digdon

          Whoops, clicked the wrong button...

I'm in the process of porting a WebLogic-based application over to JBoss, and the security aspects are giving me an incredible headache. One of the big problems I'm having is in getting a MDB to run with a principal identity.

          I've got the following entry in login-config.xml:

          <application-policy name="rms-test">

          <login-module code="org.jboss.security.auth.spi.IdentityLoginModule"
          flag="required">
          <module-option name="principal">JMSReceiver</module-option>
          <module-option name="roles">
          ManageMDBRole,ManageGatewayManagementRole,ManageDeviceRegistrationManagerRole
          </module-option>
          </login-module>
          <login-module code="org.jboss.security.ClientLoginModule"
          flag="required" />

          </application-policy>


          The application code includes calls to getCallerPrincipal() in order to record who is responsible for the changes made to a database record.

          With the WebLogic version, I simply define the <run-as> parameter for the bean:

          <security-identity>
          <run-as>
          <role-name>ManageMDBRole</role-name>
          </run-as>
          </security-identity>


          The principal and role assignments are defined elsewhere. When the MDB executes, the system figures out which principal to use (JMSReceiver), which subsequently loads in all of the necessary roles (there are several that are required - the login-config shows them).

          When I try this in JBoss, the system gives me an "insufficient method permissions" error:
Insufficient method permissions, runAsRole=ManageMDBRole, method=setDeviceRegistration, interface=LOCAL, requiredRoles=[ManageGatewayManagementRole, ManageDeviceRegistrationManagerRole]

          This leads me to believe that the system is not figuring out that the MDB needs to run as though the JMSReceiver principal is authenticated and pick up all of the other necessary role assignments.

          What am I doing wrong here?

          • 2. Re: Assigning a principal to a MDB
            bossman

            I *think* you have to add

            <security-identity>
            <run-as-principal>yourprincipalthathastherightroles</run-as-principal>
            </security-identity>

            to the MDB in your jboss.xml.

            • 3. Re: Assigning a principal to a MDB
              starksm64

jboss-3.2 uses a different notion of the run-as role. It is the ONLY role assumed by the caller; it is not the name of the principal to which roles are assigned.

              <security-identity>
               <run-as>
               <role-name>ManageGatewayManagementRole</role-name>
               </run-as>
              </security-identity>
              


or role-name could be ManageDeviceRegistrationManagerRole depending on what role the run-as code should assume. The actual principal, if needed in the case of a getCallerPrincipal call, would have to be established via a custom interceptor that did a JAAS login based on some message properties, since JMS has no standard mechanism for specifying the caller's identity.

              4.0.x allows a notion similar to weblogic.

              • 4. Re: Assigning a principal to a MDB
                digdon

                I'm still wrestling with my security problems (2 weeks now) and I still can't find the solution (other than sticking with WebLogic). I've tried using the <run-as-principal> stuff, but that doesn't seem to be helping. Let me provide more detail.

                I've got a MDB that listens on a particular queue and, when processing a message, makes calls to a session bean via local interfaces. My MDB is configured with the following:

                 <security-identity>
                 <run-as>
                 <role-name>ManageMDBRole</role-name>
                 </run-as>
                 </security-identity>
                


I've also created a principal called JMSReceiver, and it has the following role assignments: ManageMDBRole, ManageGatewayManagementRole, ManageDeviceRegistrationManagerRole. I've defined this, for test purposes, via the following config in login-config.xml:

                 <authentication>
                 <login-module code="org.jboss.security.auth.spi.IdentityLoginModule"
                 flag="required">
                 <module-option name="principal">JMSReceiver</module-option>
                 <module-option name="roles">
                ManageMDBRole,ManageDeviceRegistrationManagerRole,ManageGatewayManagementRole
                 </module-option>
                 </login-module>
                 </authentication>
                


My first problem is that if I specify a security domain in my jboss.xml file, the application won't let the MDB even get a reference to the session bean:


                2004-09-27 18:07:34,400 ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException in method: public abstract com.corenetworks.dhgms.ejb.deviceregistrationmanager.DeviceRegistrationManagerLocal
                com.corenetworks.dhgms.ejb.deviceregistrationmanager.DeviceRegistrationManagerLocalHome.create()
                throws javax.ejb.CreateException, causedBy:
                java.lang.SecurityException: Insufficient method permissions, runAsPrincipal=JMSReceiver, method=create,
                interface=LOCALHOME, requiredRoles=[], runAsRoles=[ManageMDBRole]


                To solve this problem, I need to add the following to the ejb-jar.xml assembly-descriptor:

                 <method-permission>
                 <unchecked />
                 <method>
                 <ejb-name>DeviceRegistrationManager</ejb-name>
                 <method-name>create</method-name>
                 </method>
                 </method-permission>
                


                I didn't have to do this with WebLogic, so I'm wondering why I need to do it now.

                Once I add that information, I can at least get a reference to the session bean. The method I'm trying to execute requires both the ManageGateway and ManageDevice roles. However, when I try to execute the method, I get the following:


                2004-09-27 18:09:30,747 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Insufficient method permissions,
                runAsPrincipal=JMSReceiver, method=setDeviceRegistration, interface=LOCAL, requiredRoles=[ManageGatewayManagementRole, ManageDeviceRegistrationManagerRole], runAsRoles=[ManageMDBRole]
                2004-09-27 18:09:30,747 ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException in method: public abstract void com.corenetworks.dhgms.ejb.deviceregistrationmanager.DeviceRegistrationManagerLocal.
                setDeviceRegistration(com.corenetworks.common.util.JungoDevice), causedBy:
                java.lang.SecurityException: Insufficient method permissions, runAsPrincipal=JMSReceiver, method=setDeviceRegistration,
                interface=LOCAL, requiredRoles=[ManageGatewayManagementRole, ManageDeviceRegistrationManagerRole], runAsRoles=[ManageMDBRole]


                When specified in WebLogic, it seems that the <run-as-principal> tag (well, the equivalent) causes WebLogic to load in the principal, which in turn causes all of the roles attached to the principal to also be available. However, this does not appear to be the case with JBoss 4.0.0.

Scott, you mentioned in your previous message that I might have to create my own interceptor. Is that what I'm going to have to do here to have the MDB run as JMSReceiver, with all of the roles that that principal is associated with? Is there some other way to get what I want?

                There's something else that is troubling me as well. If I don't specify any security domain at all in the jboss.xml file, everything works fine. I don't even need to include the stuff for the session bean. What's up with that?
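
The authorization check behind the errors quoted above, as an added example that is not part of this thread and is not JBoss or WebLogic code. It is a small Python model built only from what the posts state: the <run-as> role-name is the only role the MDB carries (reply 3, and the runAsRoles=[ManageMDBRole] in the logs), a method with no <method-permission> shows requiredRoles=[] and is refused (the create() failure), an <unchecked/> method is always allowed, and a method-permission is satisfied by any one of its listed roles (the EJB rule; the check does not require all of them). The JMSReceiver role set and the "no security-domain" case are taken from the poster's description; the expand_principal flag is a hypothetical switch standing for the WebLogic behaviour the poster expects, not a real JBoss option.

```python
"""Model of the EJB 2.x method-permission decision described in this thread.

Not JBoss or WebLogic code: role names, bean and method names come from the
posts; the decision rules are those the quoted log lines and replies state.
"""
from typing import Dict, Optional, Set, Tuple, Union

Role = str
MethodKey = Tuple[str, str]      # (ejb-name, method-name)
UNCHECKED = "unchecked"          # stands for an <unchecked/> method-permission

# Roles the poster's IdentityLoginModule assigns to the JMSReceiver principal.
PRINCIPAL_ROLES: Dict[str, Set[Role]] = {
    "JMSReceiver": {
        "ManageMDBRole",
        "ManageGatewayManagementRole",
        "ManageDeviceRegistrationManagerRole",
    },
}

# Assembly descriptor as first deployed: only setDeviceRegistration has a
# <method-permission>; create() has none at all.
PERMISSIONS_INITIAL: Dict[MethodKey, Union[Set[Role], str]] = {
    ("DeviceRegistrationManager", "setDeviceRegistration"): {
        "ManageGatewayManagementRole",
        "ManageDeviceRegistrationManagerRole",
    },
}

# Same descriptor after the poster adds <unchecked/> for create().
PERMISSIONS_WITH_UNCHECKED_CREATE = dict(PERMISSIONS_INITIAL)
PERMISSIONS_WITH_UNCHECKED_CREATE[("DeviceRegistrationManager", "create")] = UNCHECKED


def run_as_roles(role_name: str, principal: Optional[str], expand_principal: bool) -> Set[Role]:
    """Roles the MDB carries into its outgoing calls.

    expand_principal=False models what the quoted logs show: the <run-as>
    role-name is the only role.  expand_principal=True is a hypothetical
    switch for the behaviour the poster describes on WebLogic: the run-as
    principal is resolved and all of its roles come along.
    """
    roles = {role_name}
    if expand_principal and principal is not None:
        roles |= PRINCIPAL_ROLES.get(principal, set())
    return roles


def check_method(ejb: str, method: str, caller_roles: Set[Role],
                 permissions: Dict[MethodKey, Union[Set[Role], str]],
                 security_domain: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one invocation.

    No security-domain in jboss.xml: the security interceptor is not in the
    chain, so nothing is checked.  No <method-permission>: requiredRoles=[]
    and the call is refused.  <unchecked/>: always allowed.  Otherwise any
    one of the caller's roles in the required set is enough.
    """
    if security_domain is None:
        return True, "no security-domain: no authorization check performed"
    required = permissions.get((ejb, method))
    if required is None:
        return False, f"Insufficient method permissions, method={method}, requiredRoles=[]"
    if required == UNCHECKED:
        return True, f"method={method} is <unchecked/>"
    granted = caller_roles & required
    if granted:
        return True, f"method={method} granted via {sorted(granted)}"
    return False, (f"Insufficient method permissions, method={method}, "
                   f"requiredRoles={sorted(required)}, runAsRoles={sorted(caller_roles)}")


def thread_scenarios() -> Dict[str, bool]:
    """Replay the situations reported in the thread, keyed by a short label."""
    ejb = "DeviceRegistrationManager"
    single = run_as_roles("ManageMDBRole", "JMSReceiver", expand_principal=False)
    expanded = run_as_roles("ManageMDBRole", "JMSReceiver", expand_principal=True)
    return {
        # First error in reply 4: create() has no method-permission.
        "create/no-permission": check_method(ejb, "create", single, PERMISSIONS_INITIAL, "rms-test")[0],
        # After <unchecked/> is added for create().
        "create/unchecked": check_method(ejb, "create", single, PERMISSIONS_WITH_UNCHECKED_CREATE, "rms-test")[0],
        # Second error in reply 4: the single run-as role matches nothing.
        "setDeviceRegistration/single-role": check_method(ejb, "setDeviceRegistration", single, PERMISSIONS_WITH_UNCHECKED_CREATE, "rms-test")[0],
        # What the poster expects: the principal's roles come along.
        "setDeviceRegistration/principal-roles": check_method(ejb, "setDeviceRegistration", expanded, PERMISSIONS_WITH_UNCHECKED_CREATE, "rms-test")[0],
        # No security-domain at all: nothing is enforced.
        "setDeviceRegistration/no-domain": check_method(ejb, "setDeviceRegistration", single, PERMISSIONS_INITIAL, None)[0],
    }


if __name__ == "__main__":
    for label, allowed in thread_scenarios().items():
        print(f"{label:42} {'ALLOWED' if allowed else 'DENIED'}")
```

The last scenario is the one to watch: with security-domain left out of jboss.xml every call succeeds because no check runs at all, so "everything works fine" in that configuration means authorization is switched off, not that the principal's roles are being resolved.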


                • 5. Re: Assigning a principal to a MDB
                  bossman

                  Add "unauthenticatedIdentity" module option as in...



                  <login-module code="org.jboss.security.auth.spi.IdentityLoginModule"
                  flag="required">
                  <module-option name="principal">JMSReceiver</module-option>
                  <module-option name="roles">
                  ManageMDBRole,ManageDeviceRegistrationManagerRole,ManageGatewayManagementRole
                  </module-option>
                  <module-option name="unauthenticatedIdentity">JMSReceiver</module-option>

                  </login-module>

                  • 6. Re: Assigning a principal to a MDB
                    digdon

                     

                    "bossman" wrote:
                    Add "unauthenticatedIdentity" module option as in...


                    <authentication>
                    <login-module code="org.jboss.security.auth.spi.IdentityLoginModule"
                    flag="required">
                    <module-option name="principal">JMSReceiver</module-option>
                    <module-option name="roles">
                    ManageMDBRole,ManageDeviceRegistrationManagerRole,ManageGatewayManagementRole
                    </module-option>
                    <module-option name="unauthenticatedIdentity">JMSReceiver</module-option>

                    </login-module>
                    </authentication>


                    What is that option supposed to do? According to the documentation, this option is used to define the principal that should be assigned to requests that contain no authentication information. The doc says that this principal contains no roles. I need exactly the opposite - I need a MDB to run as a particular principal and make use of all of the roles that are associated with that principal.